
CVE-2022-41082 PoC — Microsoft Exchange Server Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2022-41082)
Description: Microsoft Exchange Server Remote Code Execution Vulnerability
Readme
# LetsDefend-CVE-2022-41082-Exploitation-Attempt

## 🛡️ Incident Report: CVE-2022-41082 Exploitation Attempt  

### 📅 Date: Sep 30, 2022  
### 🕒 Time: 07:19 AM  
### 🚨 Severity: High  
### 🆔 Incident ID: 125  

---

## 📊 Details  
| Key Attribute               | Value                                                                                                              |
|----------------------------|----------------------------------------------------------------------------------------------------------------------|
| **Event ID**               | 125                                                                                                                 |
| **Event Time**             | Sep 30, 2022, 07:19 AM                                                                                                |
| **Rule**                   | SOC175 - PowerShell Found in Requested URL                                                                            |
| **Level**                  | Security Analyst                                                                                                      |
| **Hostname**               | Exchange Server 2                                                                                                     |
| **Destination IP Address** | 172.16.20.8                                                                                                           |
| **Log Source**             | IIS                                                                                                                  |
| **Source IP Address**      | 58.237.200.6                                                                                                           |
| **Request URL**            | `/autodiscover/autodiscover.json?@evil.com/owa/&Email=autodiscover/autodiscover.json%3f@evil.com&Protocol=XYZ&FooProtocol=Powershell` |
| **HTTP Method**            | GET                                                                                                                  |
| **User-Agent**             | Mozilla/5.0 zgrab/0.x                                                                                                 |
| **Action**                 | Blocked                                                                                                              |
| **Alert Trigger Reason**   | Request URL Contains PowerShell                                                                                       |  

---
### How it looks on the SIEM Tool (LetsDefend)
![Alert](./alert1.png)

---
### What is CVE-2022-41082? Let's get to know what CVE-2022-41082 exploitation is, because I don't know either 😄 lol

CVE-2022-41082 is a critical Remote Code Execution (RCE) vulnerability affecting Microsoft Exchange Server. It was discovered in September 2022 and is often exploited in conjunction with CVE-2022-41040, forming part of the ProxyNotShell exploit chain.
- Affected versions include:
  - **Microsoft Exchange Server 2013**
  - **Microsoft Exchange Server 2016**
  - **Microsoft Exchange Server 2019**


### ⚠️ Vulnerability Details  
The **CVE-2022-41082** vulnerability is triggered when an attacker can access the **PowerShell endpoint** on an exposed **Exchange Server**.  

Attackers can escalate privileges and execute **arbitrary commands** on the server through **PowerShell remoting**.  
This vulnerability is typically exploited via a **crafted URL** that bypasses authentication checks when combined with **CVE-2022-41040** (an SSRF vulnerability).  

---

### 🔗 Exploit Chain (ProxyNotShell)  
1. **CVE-2022-41040 (SSRF)**: Bypasses authentication.  
2. **CVE-2022-41082 (RCE)**: Executes commands remotely via PowerShell.  

---

### 💥 Impact  
- **Full system compromise.**  
- Attackers can install **malware**, create **backdoors**, and move **laterally** within the network.  
- Often used to deploy **web shells** or **ransomware**.  

---

### 🔍 Mitigation  
- Apply the latest patches from Microsoft.  
- Restrict access to the **PowerShell endpoint** and apply network segmentation.  
- Monitor suspicious **URL patterns** and **PowerShell activity** on the server.  

---

### Detection (How we detect this exploitation)
1. Log Analysis:
   - Check the IIS logs (by default under **`C:\inetpub\logs\LogFiles\W3SVC1`**) for suspicious request patterns.
   - Look for requests containing **autodiscover.json** or **PowerShell** in the URL.
2. Indicators of Compromise (IoCs):
   - Unusual processes running as the Exchange server user.
   - Suspicious PowerShell command executions.
   - Web shell files located in: **`C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\`**
3. Memory and Process Monitoring:
   - Identify unexpected child processes of w3wp.exe (IIS Worker Process).
   - Look for PowerShell instances spawned via IIS.
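The log-analysis step above, as an added example that is not part of the original LetsDefend report: a small scanner over IIS W3C log lines that rebuilds and URL-decodes each request URL (so `%3f` becomes `?`) and applies the SOC175 logic, flagging the Autodiscover-plus-`@`-plus-PowerShell pattern separately from any other PowerShell reference in a URL. The `#Fields` order and the sample log lines are constructed for the example; the first sample line reproduces the request from the alert.

```python
"""Detect ProxyNotShell-style requests in IIS W3C logs (added example)."""
import re
from urllib.parse import unquote

# Assumed #Fields order; match it to the header of your own IIS log files.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Autodiscover path, then an '@' host-confusion marker, then a PowerShell reference.
PROXYNOTSHELL = re.compile(r"autodiscover/autodiscover\.json.*@.*powershell", re.I)
POWERSHELL = re.compile(r"powershell", re.I)  # broader SOC175-style trigger

# Constructed sample log: first line mirrors the alert on this page.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 07:19:00 172.16.20.8 GET /autodiscover/autodiscover.json @evil.com/owa/&Email=autodiscover/autodiscover.json%3f@evil.com&Protocol=XYZ&FooProtocol=Powershell 443 - 58.237.200.6 Mozilla/5.0+zgrab/0.x 403
2022-09-30 07:20:11 172.16.20.8 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.0.5 Mozilla/5.0 200
2022-09-30 07:21:42 172.16.20.8 POST /autodiscover/autodiscover.json - 443 user@example.test 10.0.0.7 Microsoft+Office/16.0 200
"""


def parse_line(line, fields=FIELDS):
    """Split one W3C log line into a dict; None if the field count is off."""
    parts = line.split(" ")
    return dict(zip(fields, parts)) if len(parts) == len(fields) else None


def request_url(rec):
    """Rebuild stem?query and percent-decode it, as the rule must see it."""
    query = rec["cs-uri-query"]
    return unquote(rec["cs-uri-stem"] + ("" if query == "-" else "?" + query))


def classify(rec):
    """Return a verdict string for a parsed record, or None if benign."""
    url = request_url(rec)
    if PROXYNOTSHELL.search(url):
        return "proxynotshell"
    if POWERSHELL.search(url):
        return "powershell-in-url"
    return None


def scan_log(text):
    """Yield one hit dict per flagged request (blank and '#' lines skipped)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line) if line and not line.startswith("#") else None
        verdict = classify(rec) if rec else None
        if verdict:
            hits.append({"time": f"{rec['date']} {rec['time']}", "src": rec["c-ip"],
                         "ua": rec["cs(User-Agent)"].replace("+", " "),  # IIS encodes spaces as '+'
                         "verdict": verdict, "url": request_url(rec)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the zgrab request is flagged; the legitimate OWA logon and the authenticated Autodiscover POST pass through, which is the signal-to-noise you want before adding the rule to a SIEM.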

---
## CVE Record Information
![CVE](./RecordInf.png)

---
## Summary
On **September 30, 2022**, at **07:19 AM**, an attempted exploitation targeting **Exchange Server 2** was detected and blocked. The event, identified as **EventID: 125**, was triggered by the rule **SOC175 - PowerShell Found in Requested URL**, indicating a possible exploitation of **CVE-2022-41082**. The suspicious request was sent from IP **58.237.200.6**, associated with **SK Broadband Co Ltd** in **Daegu, South Korea**, and has been previously reported for **brute force SSH attacks**. The attacker attempted to exploit the **Autodiscover endpoint** to execute **PowerShell commands** remotely.

The attack leveraged the **ProxyNotShell** vulnerability chain, specifically **CVE-2022-41040 (SSRF)** and **CVE-2022-41082 (RCE)**, allowing attackers to potentially execute arbitrary commands via **PowerShell remoting**. The request was identified as malicious due to the presence of **PowerShell URIs** in the URL and the use of the **zgrab user-agent**, indicative of automated scanning or exploitation attempts. The attack was successfully blocked, preventing potential **remote code execution** and system compromise.

To mitigate this threat, it is essential to ensure that all **Exchange Servers are patched** and that **URL rewrite rules** are applied to block known malicious patterns. Additionally, implementing enhanced **log monitoring and IP blocking** for the identified threat actor will help prevent future attempts. Restricting **external access to Autodiscover endpoints** and disabling **Remote PowerShell for non-administrative accounts** are recommended. Ongoing vigilance and monitoring are crucial to identifying and mitigating similar threats in the future.

---

### Screenshots
![AbuseIP](./Ap.png)
![Endpoint](./endpoint.png)
![Endpoint](./endpoint1.png)
![Result](./closed.png)
